"Prevention is better than cure."
An Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is primarily a preventive device designed not only to detect but also block malicious actions.
Depending on their physical location in the infrastructure and the scope of protection required, IDSs and IPSs fall into two basic types: network-based and host-based. Both serve the same function, and which type is deployed depends on strategic considerations.
IDS and IPS devices employ technology that analyses traffic flows to the protected resource in order to detect and prevent exploits and other attempts to abuse vulnerabilities.
These exploits can manifest themselves as ill-intended interactions with a targeted application or service. The goal is to interrupt and gain control of an application or a machine, enabling the attacker either to disable the target, causing a denial-of-service condition, or to gain the rights and permissions available through the target.
There are four types of IDS and IPS events: true positive, true negative, false positive, and false negative.
The goal of implementing an IDS or IPS is to achieve only true positives and true negatives.
One should keep in mind that most deployments produce false positives, on which monitoring engineers spend time investigating non-malicious events, and false negatives, which can let intrusions pass unnoticed. Proper configuration of the system is therefore of crucial importance: it must reflect your organization's traffic patterns.
IDS vs. IPS AND CURRENT TRENDS
Intrusion Detection Systems (IDS) are designed to provide readiness to prepare for and respond to cyberattacks. This is accomplished by collecting information from a variety of systems and network sources, which is then analyzed for security problems. IDSs are generally deployed to monitor and analyze user and system activity, audit system configurations and vulnerabilities, assess the integrity of critical system and data files, perform statistical analysis of activity patterns by matching them against known attacks, detect abnormal activity, and audit operating systems.
The IPS is generally deployed in-line and analyses network packet traffic as it flows through. It is thus similar in function to an Intrusion Detection System (IDS): both attempt to match packet data against a signature database or to detect anomalies against what is pre-defined as "normal" traffic.
In addition to this IDS functionality, an IPS does more than log and alert: it is usually configured to react to detected events by blocking them. This ability to react to detections is what makes IPSs generally more desirable than IDSs.
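To make the two preceding ideas concrete, the four event outcomes (true/false positive and negative) and the signature-plus-anomaly matching an in-line IPS performs, here is an added Python example that is not from the original page or any vendor product: a toy in-line sensor with a tiny signature database and a traffic baseline, run over constructed flows and scored against ground truth to show how a tuning choice moves events between the false-positive and false-negative buckets. The flows, signatures, ports and thresholds are all made up for illustration.

```python
from collections import Counter

# Constructed sample flows (not captured traffic): (src, dst_port, payload, is_malicious).
# The last field is ground truth and is used only to score the sensor afterwards.
FLOWS = [
    ("10.0.0.5",     80,  "GET /index.html HTTP/1.1",          False),
    ("10.0.0.5",     80,  "GET /login?u=' OR 1=1-- HTTP/1.1",  True),   # SQLi-style probe
    ("10.0.0.9",     22,  "SSH-2.0-OpenSSH_9.6",               False),
    ("10.0.0.9",     22,  "SSH-2.0-OpenSSH_9.6",               False),
    ("10.0.0.9",     22,  "SSH-2.0-OpenSSH_9.6",               False),
    ("10.0.0.9",     22,  "SSH-2.0-OpenSSH_9.6",               False),  # busy but legitimate admin host
    ("203.0.113.7",  445, "\xffSMB\x72\x00",                   True),   # SMB from the Internet
    ("198.51.100.4", 80,  "POST /api HTTP/1.1 <exploit with no signature yet>", True),
    ("203.0.113.8",  443, "\x16\x03\x01 ClientHello",           False),
]

# Signature database (hypothetical): a flow is an exploit if any pattern appears in its payload.
SIGNATURES = {"sqli_probe": "' OR 1=1", "smb_from_outside": "\xffSMB"}
# Anomaly baseline (hypothetical): the services that are "normal" for this environment.
ALLOWED_PORTS = {22, 80, 443}

def inspect(flow, seen_from_src, rate_threshold):
    """Classify one flow; return ('block'|'allow', reason). 'block' is the IPS action."""
    src, port, payload, _ = flow
    for name, pattern in SIGNATURES.items():        # 1. signature matching
        if pattern in payload:
            return "block", f"signature:{name}"
    if port not in ALLOWED_PORTS:                   # 2. anomaly: service outside the baseline
        return "block", f"anomaly:port:{port}"
    if seen_from_src[src] > rate_threshold:         # 3. anomaly: source chattier than the baseline
        return "block", f"anomaly:rate:{src}"
    return "allow", "baseline"

def run_ips(flows, rate_threshold):
    """Run flows through the in-line sensor; return per-flow verdicts and TP/TN/FP/FN counts."""
    seen, verdicts, outcomes = Counter(), [], Counter()
    for flow in flows:
        seen[flow[0]] += 1
        verdict, reason = inspect(flow, seen, rate_threshold)
        verdicts.append((verdict, reason))
        blocked, malicious = verdict == "block", flow[3]
        outcomes["TP" if malicious and blocked else "FN" if malicious
                 else "FP" if blocked else "TN"] += 1
    return verdicts, dict(outcomes)

if __name__ == "__main__":
    # A rate rule tuned too tightly flags the admin host (FP); tuned to this environment it does not.
    # The unsignatured exploit slips past both settings (FN): only a new rule can close that gap.
    for threshold in (3, 10):
        print(f"rate_threshold={threshold}: {run_ips(FLOWS, threshold)[1]}")
```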
THE WHAT, WHERE AND WHO OF IDS AND IPS DEPLOYMENT
These questions must be answered taking into account the specifics of your environment. The most common locations for intrusion detection/prevention sensors are:
- Between your network and extranet
- In the Demilitarized Zone (DMZ)
- Between your servers and your user community
- In the remote access, intranet and database environments
You should be able to establish your network perimeter and to "cover" all possible points of entry.
Once placed, the sensors must be configured to report to the central management console.
Dedicated administrators will manage the sensors, provide new or updated signatures and review logs.
To prevent data tampering, you must ensure that the communication between your sensors and the management console is secure.
Properly identifying mission-critical systems and points of entry requires that the following roles in your organization be involved in any IDS/IPS deployment:
- Senior Management
- Information Security Officers
- Data owners
- Network Administrators
- Database Administrators
- Operating System Administrators
If you do not involve the people representing these roles, your resources will not be used efficiently and the resulting measures will be inadequate.
It is strongly advisable to perform a vulnerability and risk assessment prior to implementing an IDS or IPS.
Once your IDS is up and operational, logs must be reviewed and the detection rules must be tailored to the specific needs of your company. Remember, traffic that your IDS/IPS perceives as abnormal may be perfectly normal for your environment. IDSs/IPSs must be properly maintained and configured.
TALK TO US
WE CAN HELP
There are times when you may feel you lack knowledgeable staff to deploy and administer an IDS/IPS. This is where we come in. Instead of spending considerable amounts of time and money trying to figure out the hows and whys, we can come in with the expertise to get you started and train your personnel.
By talking to us you will gain valuable knowledge and help with a number of challenges facing IDS/IPS deployments:
- Eliminating false positives by systematically tuning detection to the characteristics of the particular system
- Eliminating false negatives: eliminating false positive alarms may result in incurring false negatives, and that must not happen
- Understanding what constitutes a security-relevant event and developing proper reporting
- Installing and configuring a complete solution
- Devising and providing methods to test the IDS/IPS
- Determining the damage caused by a detected attack, limiting further damage, and recovering from the attack
- Making your systems scalable to the size required